func clientHelloServerName(br *bufio.Reader) (sni string) peeks the connection to read the entire client hello packet.
If read was successful, the client hello bytes are passed in to Go's tls to parse the packet and extract the SNI.
The client hello is peeked using a bufio.Reader, which is initialized by (p *Proxy) serveConn, using br := bufio.NewReader(c).
The call to bufio.NewReader initializes an internal backing buffer of size 4K.
If the client hello is bigger than 4K, the bufio.Reader.Peek call fails with bufio.ErrBuffFull, and this directly leads to the failure of the SNI matcher.
Specifically, I've been testing with Envoy as a TLS client which I've seen producing a client hello of size 5476 bytes (>4K).
I've attached a sample tcpdump capture.
big_client_hello.zip
func clientHelloServerName(br *bufio.Reader) (sni string)
peeks the connection to read the entire client hello packet. If read was successful, the client hello bytes are passed in to Go'stls
to parse the packet and extract the SNI.The client hello is peeked using a
bufio.Reader
, which is initialized by(p *Proxy) serveConn
, usingbr := bufio.NewReader(c)
. The call tobufio.NewReader
initializes an internal backing buffer of size 4K. If the client hello is bigger than 4K, thebufio.Reader.Peek
call fails withbufio.ErrBuffFull
, and this directly leads to the failure of the SNI matcher.Specifically, I've been testing with Envoy as a TLS client which I've seen producing a client hello of size 5476 bytes (>4K). I've attached a sample tcpdump capture. big_client_hello.zip
For reference, Go's TLS implementation supports client hellos of up-to 64KB: https://github.com/golang/go/blob/cda1e40b44771f8a01f361672cba721d0f283683/src/crypto/tls/common.go#L65
My personal suggestion is that we increase our
bufio.Reader
from the default 4K size to 64KB size.